On 2010-04-08 09:59 PST, Robert Relyea wrote:
> On 04/07/2010 09:35 PM, Nelson B Bolyard wrote:
>>>>> We plan on alerting users in a future update. This is fair warning
>>>>> to server operators and those who are debugging their sites.
>>>>>
>>>> If this is a real threat don't users deserve a fair warning now?
>>>>
>>> I fully agree! If users are vulnerable now, they should be warned now,
>>> (bug 535649 comment #15). The counterargument (comment #24) is that
>>> showing the broken SSL UI for almost all sites will "quickly
>>> neutraliz[e] the awareness/protection it might offer",
>>>
>> And that argument is now being successfully used by a lot of companies
>> who make products that directly face the end users. They use it to avoid
>> doing ANYTHING about this problem. They say "we can't start to warn users
>> until a majority of the servers on the net have gotten fixed, so that a
>> minority generate the errors." And so users go unwarned, and they remain
>> blissfully ignorant of their vulnerability. Consequently, they put no
>> pressure on servers to get fixed. Consequently, there is NO pressure on
>> servers to get fixed, and servers are not getting fixed at all rapidly.
>>
> What in the world are you talking about here?
You know very well what I'm talking about.

> The entire internet is broken right now.

Correct. And intranets, too.

> Putting a warning dialog up now would only train users
> to ignore the warnings (we've seen this in the past).

It will do more than that. It will alert people to the fact that the
internet and all those intranets are entirely broken right now, a fact to
which they are otherwise ENTIRELY IGNORANT.

Case in point. I work in a small company, about 600 people. They have an
IT department that uses mostly Microsoft servers. They use SSL on every
server they can do so, yet all their servers are broken in this way. They
are completely unaware of this problem. It will do me NO GOOD to go and
tell them that all their servers are broken. They will think I'm a kook.
They will say "If our servers are broken, why don't all our client
programs complain?"

> That is why there
> is a console warning. You can still get that information from the
> console log, or even set the pref to disallow those connections. In any
> case to say that firefox is not doing ANYTHING about the problem is
> seriously mischaracterizing the problem.

I believe our employees could not find that console report even if they
were told about it and told to go look for it. It's too well buried by
people who are deathly afraid of giving users a "bad experience".

> The current response is in line with other well known and well respected
> browsers out there, unless you are accusing Yngve Petterson of security
> ignorance or laziness as well.

Yngve is also begging the browser community to start sounding the alarm.
The browsers are all deathly afraid of doing so. They all say "we will
start doing so when all the other browsers start doing so."

> .. The warnings will come

-- WHEN? In 2010? In 2011?

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto